Skip to main content

Common Exclusions


The following are common exclusion patterns for known-good activity that generates high volumes of Sysmon events. These should be tailored to what is actually present in the target environment β€” do not blindly apply all exclusions; confirm a process or behavior is genuinely known-good before suppressing it.

Don't Over-Exclude

Broad exclusions can blind Sysmon to legitimate threat activity. Adversaries that live-off-the-land (LOLBins) abuse the same binaries that are often excluded (e.g., svchost.exe, powershell.exe, cmd.exe). Exclude by specific, constrained conditions (parent process, destination IP, specific arguments) rather than broadly by image name alone wherever possible.


Windows System Processes (ProcessCreate)​

Common high-volume system process noise:

<RuleGroup name="" groupRelation="or">
<ProcessCreate onmatch="exclude">

<!-- Windows Update / TrustedInstaller -->
<Image condition="begins with">C:\Windows\SoftwareDistribution\</Image>
<Image condition="begins with">C:\Windows\WinSxS\</Image>
<ParentImage condition="is">C:\Windows\System32\TiWorker.exe</ParentImage>

<!-- Windows Defender -->
<Image condition="begins with">C:\Program Files\Windows Defender\</Image>
<Image condition="begins with">C:\ProgramData\Microsoft\Windows Defender\</Image>

<!-- Microsoft Malware Protection (MsMpEng) -->
<Image condition="is">C:\Program Files\Windows Defender\MsMpEng.exe</Image>

<!-- WMI Provider Host -->
<Image condition="is">C:\Windows\System32\wbem\WmiPrvSE.exe</Image>

<!-- Search Indexer -->
<Image condition="is">C:\Windows\System32\SearchIndexer.exe</Image>
<ParentImage condition="is">C:\Windows\System32\SearchIndexer.exe</ParentImage>

<!-- SVCHOST spawning common services -->
<ParentCommandLine condition="contains">svchost.exe -k DcomLaunch</ParentCommandLine>

</ProcessCreate>
</RuleGroup>

Network Connections (NetworkConnect)​

NetworkConnect is typically the noisiest event type. Target exclusions here first.

<RuleGroup name="" groupRelation="or">
<NetworkConnect onmatch="exclude">

<!-- Local loopback -->
<DestinationIp condition="is">127.0.0.1</DestinationIp>
<DestinationIp condition="is">::1</DestinationIp>

<!-- Windows Update and Microsoft telemetry -->
<Image condition="is">C:\Windows\System32\svchost.exe</Image>

<!-- Windows Defender -->
<Image condition="begins with">C:\Program Files\Windows Defender\</Image>

<!-- DNS Client -->
<Image condition="is">C:\Windows\System32\svchost.exe</Image>
<DestinationPort condition="is">53</DestinationPort>

<!-- LDAP / Kerberos on domain-joined hosts (adjust DCs to environment) -->
<DestinationPort condition="is">88</DestinationPort>
<DestinationPort condition="is">389</DestinationPort>
<DestinationPort condition="is">636</DestinationPort>

</NetworkConnect>
</RuleGroup>
Scope svchost Exclusions

svchost.exe exclusions should always be paired with additional conditions (port, destination, or parent) rather than excluding all svchost network connections. Lateral movement often abuses svchost.


Image (DLL) Loads (ImageLoad)​

ImageLoad is extremely noisy. A broad starting point for Windows system DLLs:

<RuleGroup name="" groupRelation="or">
<ImageLoad onmatch="exclude">

<!-- Signed Microsoft DLLs from System32 -->
<Signed condition="is">true</Signed>

<!-- Windows system paths -->
<ImageLoaded condition="begins with">C:\Windows\System32\</ImageLoaded>
<ImageLoaded condition="begins with">C:\Windows\SysWOW64\</ImageLoaded>
<ImageLoaded condition="begins with">C:\Windows\WinSxS\</ImageLoaded>

</ImageLoad>
</RuleGroup>
Signing-Based Exclusions

Excluding all signed DLLs is a broad suppression that can miss malicious signed binaries (e.g., compromised vendor certs, code-signed malware). Use in low-sensitivity environments only; prefer path-based exclusions in higher-risk environments.


File Create (FileCreate)​

Common high-volume file creation noise:

<RuleGroup name="" groupRelation="or">
<FileCreate onmatch="exclude">

<!-- Windows temp and system paths -->
<TargetFilename condition="begins with">C:\Windows\Temp\</TargetFilename>
<TargetFilename condition="begins with">C:\Windows\Prefetch\</TargetFilename>
<TargetFilename condition="begins with">C:\Windows\System32\winevt\</TargetFilename>

<!-- Browser cache / temp files -->
<TargetFilename condition="contains">\AppData\Local\Temp\</TargetFilename>
<TargetFilename condition="contains">\AppData\Local\Microsoft\Windows\INetCache\</TargetFilename>

<!-- Windows Update -->
<TargetFilename condition="begins with">C:\Windows\SoftwareDistribution\</TargetFilename>

<!-- Search index -->
<Image condition="is">C:\Windows\System32\SearchIndexer.exe</Image>

</FileCreate>
</RuleGroup>

Registry Events (RegistryEvent)​

Focus registry logging on suspicious keys. Exclude high-volume benign writes:

<RuleGroup name="" groupRelation="or">
<RegistryEvent onmatch="exclude">

<!-- Windows telemetry and perf counters -->
<TargetObject condition="contains">SOFTWARE\Microsoft\Windows NT\CurrentVersion\Perflib</TargetObject>
<TargetObject condition="contains">SOFTWARE\Microsoft\Windows\CurrentVersion\Diagnostics</TargetObject>

<!-- Windows Update -->
<TargetObject condition="begins with">HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate</TargetObject>

<!-- Browser MRU / usage stats -->
<TargetObject condition="contains">\Software\Microsoft\Internet Explorer\</TargetObject>

</RegistryEvent>
</RuleGroup>

EDR / Security Tool Exclusions​

Replace process paths and names with those confirmed in the environment:

<RuleGroup name="" groupRelation="or">
<ProcessCreate onmatch="exclude">
<!-- CrowdStrike Falcon -->
<Image condition="begins with">C:\Program Files\CrowdStrike\</Image>
<ParentImage condition="begins with">C:\Program Files\CrowdStrike\</ParentImage>

<!-- Carbon Black -->
<Image condition="begins with">C:\Program Files\Confer\</Image>

<!-- SentinelOne -->
<Image condition="begins with">C:\Program Files\SentinelOne\</Image>

<!-- Tanium -->
<Image condition="begins with">C:\Program Files (x86)\Tanium\</Image>

<!-- Rapid7 Insight Agent -->
<Image condition="begins with">C:\Program Files\Rapid7\</Image>
</ProcessCreate>
</RuleGroup>

<RuleGroup name="" groupRelation="or">
<NetworkConnect onmatch="exclude">
<!-- CrowdStrike Falcon -->
<Image condition="begins with">C:\Program Files\CrowdStrike\</Image>

<!-- SentinelOne -->
<Image condition="begins with">C:\Program Files\SentinelOne\</Image>
</NetworkConnect>
</RuleGroup>

DNS Query (DnsQuery)​

DNS query logging is noisy from browsers and system processes:

<RuleGroup name="" groupRelation="or">
<DnsQuery onmatch="exclude">

<!-- Windows Update domains -->
<QueryName condition="ends with">.windowsupdate.com</QueryName>
<QueryName condition="ends with">.microsoft.com</QueryName>
<QueryName condition="ends with">.windows.com</QueryName>

<!-- Browser noise (adjust to browsers known to be in environment) -->
<Image condition="is">C:\Program Files\Google\Chrome\Application\chrome.exe</Image>
<Image condition="is">C:\Program Files\Mozilla Firefox\firefox.exe</Image>

<!-- Local/LLMNR noise -->
<QueryName condition="ends with">.local</QueryName>
<QueryName condition="ends with">.lan</QueryName>

</DnsQuery>
</RuleGroup>